3651 views and 8 responses

Great video! I have a question, though. What if one is setting up a Mac OS X 10.6 Server behind a NAT router on a connection that has a static IP and a reverse DNS for that hostname?

Eg: I have a server, dargo.vjl.org, which is accessible via a public IP. But it sits behind a router and has a 192.168.0.x address. I'm in the process of setting up this Mac mini to replace a Linux box that is currently behind the router [there are actually several computers behind the router and the router does port forwarding so that certain services are provided by different computers - the Mac mini server will be providing nearly all those services, once I get it installed].

What I had set up was similar to your examples for non-public configurations. Eg: primary zone name of vjl.lan. and the machine name of dargo. But when running some of the tests to confirm things are set up properly, reverse DNS would state [correctly] that the hostname was dargo.vjl.org since that's how everyone outside the 192.168.0.x subnet sees the machine.

To complicate matters more, the Mac mini server is going to provide DNS services [because the ISP's DNS servers are not reliable] to the other 192.168.0.x systems plus a couple that exist outside the NAT router [the connection has 5 static IPs - dargo.vjl.org is one of the 5 hosts, as there is also stark, crichton, etc, but they are not living behind the NAT router]. The Mac mini server will also be a secondary DNS server [ns2.vjl.org] serving name resolution for about 100 domains that are hosted on a co-located server about 50 miles from here [which also runs as ns1.vjl.org - not using BIND9 though, but using tinydns, which means I need to figure out how to send updates/zone transfers to the Mac mini's BIND DNS server].

Anyway, I guess my question is: should I set the primary zone name to vjl.org. and not vjl.lan.? If I do do that, will the other 192.168.0.x systems be able to use the Mac mini as a DNS server [and also access the other services, like iCal Server, etc, that I wish to run on the Mac mini]?

Server Admin uses one default public view of DNS. I always wished for Apple to add a section for creating multiple views within the Server Admin DNS GUI, but alas, they never did. A split-horizon DNS configuration will have to be done at the command line.

I'd recommend picking up a copy of the DNS and BIND book from O'Reilly if you don't have a copy. It's super informative and covers things like split-horizon DNS in detail.

Hope this helps!

- Mike
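The split-horizon setup Mike refers to, as an added example (not code from the thread, from Apple's Server Admin or from the BIND project): a two-view named.conf for BIND 9 built around the thread's vjl.org zone and 192.168.0.0/24 LAN. The public address 203.0.113.10, the working directory and the zone file names are placeholders, and the thread's public hosts outside the NAT (stark, crichton) are served by the external view like any other Internet client.

```conf
// Added example: split-horizon DNS with BIND 9 views.
// Only vjl.org, dargo and 192.168.0.0/24 come from the thread;
// 203.0.113.10, the directory and the file names are placeholders.
acl "lan" { 127.0.0.0/8; 192.168.0.0/24; };

options {
    directory "/var/named";        // placeholder; match your named's directory
    listen-on { any; };
    // Recursion is decided per view below, never globally,
    // so the public side cannot be used as an open resolver.
};

// Views are matched in order: the LAN view must come before the catch-all.
// Internal clients get the private address of dargo and may recurse.
view "internal" {
    match-clients { "lan"; };
    recursion yes;
    allow-recursion { "lan"; };
    zone "." {
        type hint;
        file "named.ca";           // root hints, since the ISP resolvers are unreliable
    };
    zone "vjl.org" {
        type master;
        file "vjl.org.internal";   // dargo A 192.168.0.x lives only here
    };
    zone "0.168.192.in-addr.arpa" {
        type master;
        file "0.168.192.in-addr.arpa";
    };
};

// Everyone else sees only public addresses and gets no recursion,
// so no 192.168.0.x record is ever leaked outside the NAT.
view "external" {
    match-clients { any; };
    recursion no;
    allow-query { any; };
    zone "vjl.org" {
        type master;
        file "vjl.org.external";   // dargo A 203.0.113.10 (placeholder) lives here
    };
};
```

Once views are in use, every zone must live inside a view; after editing, run `named-checkconf` and then query the server once from the LAN and once from outside to confirm each side sees only its own answer for dargo.vjl.org.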

Dec 30 2011, 9:34 PM

vjl (Twitter) responded:

Thanks, Mike! I've got multiple tabs open on the DNS subject and I've seen references to "split-horizon" DNS, but I hadn't found that explanation yet. I'll go and read it right now.

I've used tinydns for so long [on a Linux server] that I never bothered to learn BIND [tinydns is another open source DNS server written by the same guy who wrote qmail; though I am not a qmail fan, tinydns and dnscache are wonderful and I've been able to configure multiple domains with them very easily, plus use dnscache for DNS services here in the SOHO, though with the Mac mini server in place, I'll be using that instead since it will be a bit quicker].

I've got a copy of DNS & BIND, but it's from 1992 [I started sysadmining SunOS, Xenix, and AIX systems back in 1990!], and back then I used it in a "fire and forget" type of way - got the systems configured the way they needed to be and learned no more than I was required to [just like sendmail, sadly - but that's why I learned and became very knowledgeable in postfix and tinydns :-) ].

Anyway, I'm off to read that site and reconfigure the Mac mini sitting next to me. I'd love to start the new year off with this system in production. Thank you so much for the quick reply and for the great articles. I've added this site to my RSS reader, as I consider myself a newbie with regards to Mac OS X Server [I am much more comfortable with vim and text files when administering a server!], so the fact that I must configure DNS via the command line is the best news I've heard all day. :)

Yeah Posterous kind of sucks. I've been meaning to take this site offline and redirect it to my main site again which I'll be redesigning and relaunching early this year. I just haven't had the time yet.

Let me know how it turns out! I've never personally configured it that way from scratch. In my environment now we use fancy systems from F5 to do all of our external to internal address translation and querying. We do use split views of DNS as well, but I don't personally manage nor interact with the BIND servers. I just maintain one zone, mac.rmu.edu and it's internal only so it's easy enough for me to just use the GUI most of the time.

- Mike

Dec 30 2011, 9:55 PM

vjl (Twitter) responded:

I actually have a Posterous account [that I hardly use!] and forgot I could have logged in that way; maybe it would have let me edit my comments to include a nicer paragraph break [which is controlled by the 'p' HTML element].

I'll let you know how it turns out. I may actually blog about it, as I want to get back into doing that [it's been over 7 years since my last blog post and I enjoy writing, plus when doing things like this, I like to put what I learned up on the web so that others can benefit from it or suggest things I should have done, etc.; I am in the habit of taking careful notes when configuring systems, but those notes are not usually for the public's eyes since they have IPs, etc, in them, and when things go a bit bad, they have me venting about why I didn't do X before I did Y and now Z is broken, etc :) ].

So far, reading the article, this appears to be exactly what I need. I'm going to have to see if I should delete what I currently have in Server Admin before doing everything. Thanks again for the link. I'm disappointed I hadn't found it in all my searches, but I'm very glad you did! :)

/vjl/

Jan 23 2013, 6:22 AM

Thierry responded:

Thanks a lot for this video Mike. It helps me a lot.

Apr 9 2013, 9:11 AM

Kevin Maybury responded:

I have a server that I set up some time ago but appears that the DNS server settings have broken. Is there a procedure to follow for fixing this? Apple's documentation keeps pointing to scutil but I can't find any good examples of how to use this.